VeriSign has announced plans to build a new standard for online authentication.
Citing the growing problem of online fraud and the cost and complexity of current user authentication products, the company used the RSA security conference in San Francisco to reveal an open standards architecture for strong authentication across the Internet.
The initiative, called the Open Authentication Reference Architecture (OATH), is intended to replace the patchwork of proprietary products for user authentication and provisioning currently used on the Internet, allowing users to seamlessly access services on corporate networks and the Web, VeriSign executives said.
Strong authentication is a term that describes multi-factor authentication, usually combining a physical item like an access card or token with a secret password for users to access network resources.
The new architecture will be "90 percent" based on open standards such as LDAP (Lightweight Directory Access Protocol) and RADIUS (Remote Authentication Dial-In user Service). The effort will also rely on cooperation from leading software and hardware makers, said Mark Griffiths, vice president of authentication at VeriSign.
A new universal authentication service launched by VeriSign as part of the OATH architecture will use VeriSign's ATLAS (Advanced Transaction Look-up and Signaling) directory and database technology to provide an Internet-wide authentication network service. ATLAS was developed by VeriSign and matches requests for Web pages with the Internet Protocol addresses of the host Web servers on the company's DNS servers.
Using OATH, organisations can use VeriSign's ATLAS service for user authentication on the public Internet. Currently, authentication is usually performed by systems running within the enterprise, Griffiths said. OATH will solve a number of problems hampering the growth of Internet commerce and new services, Griffiths said.
Problems such as online identity theft, the proliferation of insecure and unwieldy user passwords, and the high cost of implementation for strong authentication technology could all be resolved with an Internet-wide authentication service like OATH, he said.
"The Internet needs a strong security architecture to reach the next level. We're at a point where we believe that, as an industry, we can create a tipping point. This is an opportunity for people to change the Internet," he said.
Hardware and software companies from cell-phone manufacturers to identity management software makers will be able to integrate with the OATH architecture. That will encourage those companies to build open strong authentication features into their products without worrying that doing so will make it impossible for them to work with other platforms and applications, the company said.
VeriSign is working with portable device manufacturers to build open authentication tokens into their products, Griffiths said.
In the future, users will be able to log on to a variety of services, including e-mail, Web-based e-commerce sites and telecommunications services, using a common password and authentication token embedded in a portable USB (Universal Serial Bus) device, smart card, cell phone or PDA (personal digital assistant), he said.
In one sign of support for the initiative, IBM plans to announce that it is making its Tivoli identity management software compatible with the new service, a company spokesman said.
IBM Tivoli Identity Manager, IBM Tivoli Access Manager and IBM Tivoli Directory Server will "talk" to VeriSign's new OATH services. For example, Tivoli Identity Manager will be able to provision new user accounts that use the new strong authentication service. Tivoli Access Manager will allow security managers to define which users need to communicate with VeriSign's service, IBM said.
Other vendors also signalled support for the new service at RSA, including user authentication software maker ActivCard and smart card company Gemplus.
Version 1.0 of the OATH service will be launched in the third quarter of 2004. That version will work with Microsoft's Active Directory services and support hardware and software credentials such as PKI (public key infrastructure) and OTP (One Time Password authentication), the company said.
Another release in the fourth quarter, 2004, will support other platforms and LDAP-compliant directory services, including those by IBM and Sun Microsystems, VeriSign said.